When ipa-lockout plugin is started during FreeIPA server installation,
the default realm may not be available and plugin should then not end
with failure.
Similarly to other plugins, start in degraded mode in this situation.
Operation is fully restored during the final services restart.
https://fedorahosted.org/freeipa/ticket/4085
--
Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
From d93624c0b84685b1686717b9f946c713aea6f9ff Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Tue, 4 Feb 2014 11:02:34 +0100
Subject: [PATCH] ipa-lockout: do not fail when default realm cannot be read
When ipa-lockout plugin is started during FreeIPA server installation,
the default realm may not be available and plugin should then not end
with failure.
Similarly to other plugins, start in degraded mode in this situation.
Operation is fully restored during the final services restart.
https://fedorahosted.org/freeipa/ticket/4085
---
.../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c| 34 +++---
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
index 5a24359d319aaea28773daa01d268d2d46583270..265c2701c36fe78486a2bdd4a66366b0b05472a0 100644
--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
@@ -176,23 +176,23 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
krberr = krb5_init_context(krbctx);
if (krberr) {
LOG_FATAL(krb5_init_context failed (%d)\n, krberr);
-ret = LDAP_OPERATIONS_ERROR;
-goto done;
-}
-
-krberr = krb5_get_default_realm(krbctx, realm);
-if (krberr) {
-LOG_FATAL(Failed to get default realm (%d)\n, krberr);
-ret = LDAP_OPERATIONS_ERROR;
-goto done;
-}
-
-ipa_global_policy = slapi_ch_smprintf(cn=global_policy,cn=%s,cn=kerberos,%s,
- realm, basedn);
-if (!ipa_global_policy) {
-LOG_OOM();
-ret = LDAP_OPERATIONS_ERROR;
-goto done;
+/* Yes, we failed, but it is because /etc/krb5.conf doesn't exist
+ * or is misconfigured. Start up in a degraded mode.
+ */
+} else {
+krberr = krb5_get_default_realm(krbctx, realm);
+if (krberr) {
+LOG_FATAL(Failed to get default realm (%d)\n, krberr);
+} else {
+ipa_global_policy =
+slapi_ch_smprintf(cn=global_policy,cn=%s,cn=kerberos,%s,
+ realm, basedn);
+if (!ipa_global_policy) {
+LOG_OOM();
+ret = LDAP_OPERATIONS_ERROR;
+goto done;
+}
+}
}
ret = asprintf(dn, cn=ipaConfig,cn=etc,%s, basedn);
--
1.8.5.3
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel